
March 24, 2010

Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, which in-house and industry risk assessment methodologies are being used, and what challenges security and risk professionals are facing. This research started with interviews of 19 IT risk program managers and specialists representing over a dozen client organizations. Next, each analyst focused on a specific methodology to understand its capabilities, strengths, and weaknesses. The first four methodologies we examined were Carnegie Mellon University’s OCTAVE, the Information Security Forum’s IRAM, ISACA’s Risk IT Framework, and NIST SP 800-30. Documents covering each of these methodologies, a comparison of the four, and a summary of the risk assessment practices of the interviewed organizations will be published for Burton subscribers over the next couple of months. This research will also be featured in half-day sessions at Catalyst in Prague, April 19-22, and Catalyst in San Diego, July 26-30.

The Catalyst experience is unlike any other technology conference, with full days of exceptional presentations spread over four or five rooms. Each half-day or full-day topic combines the perspectives of an analyst expert, a customer architect/implementer, and industry solution providers. A conversation develops over the linked sessions in the topic track, building on what has been said previously and driving towards a set of conclusions to close out the topic. These conversations continue into the breaks, as IT professionals from other organizations with similar challenges share their experience.

For this year’s Catalyst topic track on risk management, the program kicks off with an entertaining and informative investigation into the myths and realities of risk management, co-presented by Eric Maiwald and Trent Henry. This session also showcases the highlights of the research conducted over the last several months. The next presentation features another Burton expert, Bob Smock, sharing a specific example of using risk scorecards. In Prague, representatives from HSBC and Munich ReInsurance will separately present their perspectives on IT risk assessment. Customer speakers for San Diego are still being selected. Finally, the topic wraps up with Burton’s Jack Santos sharing his insights into how to communicate with executives about risk.

There’s still time to sign up to attend either of these upcoming Catalyst events, and I hope to see you there. For more information, see the Burton Catalyst site.

February 26, 2010

Back in November, I put up a blog post on Security in Context. I want to revisit that concept in light of a client question I received today. The client was asking about securing employee access to data – access anytime, anywhere, from any device. Clearly this is a problem that will only grow as enterprises move toward the consumerization of client devices.

This is clearly a business issue – the business wants employees to be able to work wherever they are and whenever they want or need to work. At the same time, the data that the employees need to access is sensitive and needs to be protected. Just saying “no, you cannot access the data” will not work. So how can the risk to the information be managed?

There are options, but all have disadvantages. Remote desktops could be used, but that requires good, solid connectivity; if the business wants employees to be able to work on airplanes, remote desktops probably will not work. Enterprise rights management (ERM) could be used to allow only authorized users to access data or to perform only authorized actions on it. The choice of ERM solution depends on the format of the data, how the files will be created, and the actions the user may want to take on the files. Client-side virtualization might be something the enterprise should look at in the future, but it may require some type of trusted hypervisor on the endpoints.

While it may seem that there is no real solution here, the fact is that there are potential solutions, but they need to be evaluated within the context of the business problem. In this case, the problem is that sensitive information needs to be accessed by employees who are using unmanaged devices. A more detailed discussion needs to take place between security, IT, and the business to see which option best solves that problem.

Security in Context is the theme for security and risk management at Catalyst this year. Please join us April 19-22 in Prague or July 26-30 in San Diego for a discussion of Security in Context. If you are coming to Prague, you can use the promotion code “INSIDER” when you register for a discounted price of €995.